Colocation Compliance: Get Support to Protect Your Business
Overview
Most top-tier colocation centers are compliant with one or more standards and undergo a third-party audit to verify that compliance. When sourcing colocation hosting services, make sure the provider you choose places a strong and verifiable focus on security and reliability; in the end, it is your customers’ data that you are placing in that operator’s hands.
SSAE 16
SSAE 16 — The Statement on Standards for Attestation Engagements No. 16
The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. An SSAE 16 audit measures the controls relevant to financial reporting; like SAS 70, it gives auditors guidance for assessing financial-statement controls at service organizations, and it is the basis of the SOC 1 report. The SOC 2 and SOC 3 reports instead examine a service organization’s controls relevant to the security, availability, or processing integrity of its system, or to the privacy or confidentiality of the information the system processes. Note that SSAE 16 has itself since been superseded by SSAE 18 (effective May 2017) as the attestation standard for SOC 1 engagements.
SOC Reports
SOC 1
The first of the three Service Organization Control reports developed by the AICPA, this report measures the controls of a data center as they relate to financial reporting. It is essentially the same as an SSAE 16 audit.
SOC 2
SOC 2 measures controls specifically relevant to IT and data center service providers. It is organized around five trust services criteria: security, availability, processing integrity (ensuring that processing is accurate, complete, and authorized), confidentiality, and privacy.
SOC 3
This report contains the auditor’s opinion on the same SOC 2 criteria, together with a seal that may be displayed on websites and other documents. It is less detailed and less technical than a SOC 2 report, so it is suited to public distribution.
SOC 1 and SOC 2 are similar to SAS 70
Both have type 1 and type 2 report options:
- Type 1 – The data center’s description of its system and its assertion that the controls are suitably designed, as of a specified date.
- Type 2 – Auditors test whether the controls were implemented and operated effectively over a specified period of time.
ISO
ISO/IEC 27001:2005 and ISO/IEC 27001:2013 – Information Security Management System Standard
ISO is the world’s largest developer and publisher of international standards. ISO certification means that a provider has implemented the quality, safety, security, environmental, and energy management standards with the widest acceptance in the data center sector, and can therefore offer products and services that meet or exceed its customers’ specifications.
ISO 27001 is the most widely accepted certification available for information security, physical security, and business continuity. For data centers, ISO 27001 ensures that:
- risks and threats to the business are assessed and managed
- physical security processes such as restricted/named access are enforced consistently
- audits that include tests of security controls and of CCTV planning and monitoring are conducted regularly at each site
PCI-DSS & HIPAA
PCI DSS – Payment Card Industry Data Security Standard
The PCI Data Security Standard (PCI DSS) sets requirements for the safe handling of sensitive information and is intended to help organizations proactively protect customer account data. For colocation providers that neither access nor monitor customer data, its applicability is limited to physical security: controlling access to customer equipment through a combination of management systems, physical access safeguards, and procedures.
HIPAA
Mandated by the U.S. Department of Health and Human Services (HHS), the Health Insurance Portability and Accountability Act of 1996 specifies requirements for securing protected health information (PHI), that is, patient health data such as medical records. For data centers, a hosting provider must meet HIPAA requirements to ensure that sensitive patient information is protected. A HIPAA audit conducted by an independent auditor against the OCR HIPAA Audit Protocol produces a documented report showing that a data center operator has the policies and procedures in place to provide HIPAA hosting solutions.
No other audit or report provides evidence of full HIPAA compliance.
FedRAMP
FedRAMP - The Federal Risk and Authorization Management Program
FedRAMP provides a cost-effective, risk-based approach to the adoption and use of cloud services by making available to executive departments and agencies:
- Standardized security requirements for the authorization and ongoing cybersecurity of cloud services at selected information system impact levels;
- A conformity assessment program capable of producing consistent, independent third-party assessments of the security controls implemented by Cloud Service Providers (CSPs);
- Authorization packages for cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from DHS, DoD, and GSA;
- Standardized contract language to help executive departments and agencies integrate FedRAMP requirements and best practices into acquisition;
- A repository of authorization packages for cloud services that can be leveraged government-wide.
FedRAMP supports the U.S. government’s mandate that all federal information systems comply with the Federal Information Security Management Act of 2002 (FISMA).
The Federal Information Security Management Act (FISMA)
FISMA is United States legislation that defines a comprehensive framework for protecting government information, operations, and assets against natural or man-made threats. It was signed into law as part of the Electronic Government Act of 2002.
The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:
- Categorize the information to be protected
- Select minimum baseline controls
- Refine controls using a risk assessment procedure
- Document the controls in the system security plan
- Implement security controls in appropriate information systems
- Assess the effectiveness of the security controls once they have been implemented
- Determine agency-level risk to the mission or business case
- Authorize the information system for processing
- Monitor the security controls on an ongoing basis
To learn more about data center compliance and colocation pricing, see the Colocation Pricing Guide:
https://stratacore.com/the-advisor/colocation-pricing-guide#compliance